CA证书自签单向验证Openssl命令
//openssl 下载
//https://slproweb.com/products/Win32OpenSSL.html
openssl
//生成key
genrsa -des3 -out server.key 2048 //需要输入密码
req -new -key server.key -out server.csr //Common Name 填写服务器域名,填写不正确会被报警告
//去除 key 的密码保护
rsa -in server.key -out server_no_passwd.key
//生成证书
x509 -req -days 365 -in server.csr -signkey server_no_passwd.key -out server.crt
// export 1. server_no_passwd.key 2. server.crt
应用
//服务器
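// Server side of one-way TLS: the gRPC server presents keys/server.crt and clients verify
// it against that same file. The key is presumably the password-free server_no_passwd.key
// from the steps above, copied to keys/server.key.
cred, err := credentials.NewServerTLSFromFile("keys/server.crt", "keys/server.key")
if err != nil {
	// A missing or unreadable certificate/key is a deployment error; fail fast at startup
	// instead of handing nil credentials to grpc.Creds.
	panic(err)
}
grpc.NewServer(grpc.Creds(cred))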
//客户端
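// Client side of one-way TLS: keys/server.crt itself is the trust root, and the second
// argument overrides the server name that is checked against the certificate (the
// "common name" the notes refer to). NOTE(review): Go 1.15+ ignores the Common Name for
// hostname verification, so the certificate needs a Subject Alternative Name equal to this value.
cred, err := credentials.NewClientTLSFromFile("keys/server.crt", "localhost")
if err != nil {
	panic(err) // keys/server.crt missing or not a valid PEM certificate
}
grpc.Dial(":8888", grpc.WithTransportCredentials(cred))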
grpc server_http
//s.Serve(conn)
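// Serve gRPC through the standard net/http stack: every request on "/" is handed to the
// gRPC server's ServeHTTP. ListenAndServeTLS enables HTTP/2, which gRPC requires.
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
	s.ServeHTTP(w, r)
})
// ListenAndServeTLS blocks until the server stops and always returns a non-nil error, so the
// result must be inspected rather than dropped. NOTE(review): this convenience wrapper uses an
// http.Server without timeouts; for anything beyond local testing build an http.Server with
// ReadHeaderTimeout set and call its ListenAndServeTLS instead.
if err := http.ListenAndServeTLS(":8888", "keys/server.crt", "keys/server.key", nil); err != nil {
	panic(err)
}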
CA证书自签双向验证Openssl命令
//生成 CA 根证书
genrsa -out ca.key 2048
req -new -x509 -days 3650 -key ca.key -out ca.pem
//生成服务器证书
genrsa -out server.key 2048
req -new -key server.key -out server.csr
x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
//生成客户端证书
ecparam -genkey -name secp384r1 -out client.key
req -new -key client.key -out client.csr
x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem
应用
//服务器 (不能使用ServeHTTP)
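// Server side of mutual TLS: present the CA-signed server certificate and require every
// client to present a certificate that chains to cert/ca.pem.
cert, err := tls.LoadX509KeyPair("cert/server.pem", "cert/server.key")
if err != nil {
	panic(err) // bad key material is a deployment error; fail fast at startup
}
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile("cert/ca.pem")
if err != nil {
	panic(err)
}
// AppendCertsFromPEM reports false when it parsed no certificate. Dropping that result
// leaves an empty pool, which rejects every client without pointing at the bad file.
if !certPool.AppendCertsFromPEM(ca) {
	panic("cert/ca.pem: no valid certificate found")
}
cred := credentials.NewTLS(&tls.Config{
	Certificates: []tls.Certificate{cert},
	ClientAuth:   tls.RequireAndVerifyClientCert, // reject clients that present no CA-signed cert
	ClientCAs:    certPool,                       // only this private CA may vouch for clients
	MinVersion:   tls.VersionTLS12,               // do not depend on the Go version's default floor
})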
//客户端
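// Client side of mutual TLS: present the CA-signed client certificate and trust only
// cert/ca.pem when verifying the server.
cert, err := tls.LoadX509KeyPair("cert/client.pem", "cert/client.key")
if err != nil {
	panic(err) // bad key material is a deployment error; fail fast at startup
}
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile("cert/ca.pem")
if err != nil {
	panic(err)
}
// An empty RootCAs pool makes every connection fail verification; report the cause instead.
if !certPool.AppendCertsFromPEM(ca) {
	panic("cert/ca.pem: no valid certificate found")
}
cred := credentials.NewTLS(&tls.Config{
	Certificates: []tls.Certificate{cert},
	// NOTE(review): must match a Subject Alternative Name in server.pem; Go 1.15+ ignores
	// the Common Name, and the CSR steps above do not add a SAN.
	ServerName: "localhost",
	RootCAs:    certPool, // setting RootCAs replaces the system roots for this connection
	MinVersion: tls.VersionTLS12,
})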
grpc-gateway使用
//安装
go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger
go get -u github.com/golang/protobuf/protoc-gen-go
//proto file修改 例如
syntax = "proto3";
package services;
// Provides the google.api.http option used on the rpc; the file must be on protoc's
// include path (or copied into this proto's directory).
import "google/api/annotations.proto";
// Request holds the name to greet.
message Request{
string name = 1;
}
// Response holds the reply message.
message Response {
string msg = 1;
}
// Greeter is served over gRPC and, through grpc-gateway, over HTTP.
service Greeter{
// Hello is exposed as GET /v1/greeter/{name}; the path segment fills Request.name.
rpc Hello(Request) returns (Response){
option (google.api.http) = {
get: "/v1/greeter/{name}"
};
}
}
//** 可以将引入的 proto 文件拷贝到自己编写的 proto 所在目录中,这样生成代码时就不必再指定包含目录
//文件生成
protoc --go_out=plugins=grpc:. *.proto
protoc --grpc-gateway_out=logtostderr=true:. *.proto
//http 网关服务器编写
//(GetClientCreds 为对上述客户端 Creds 生成代码的封装)
//localhost:8888 为grpc服务器绑定地址
//8081为网关服务器绑定端口
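// HTTP gateway: translates REST calls received on :8081 into gRPC calls to the
// TLS-protected server at localhost:8888, using the client credentials from GetClientCreds.
gwmux := runtime.NewServeMux()
opts := []grpc.DialOption{grpc.WithTransportCredentials(GetClientCreds())}
// Registration can fail (bad endpoint, bad dial options); ignoring the error likely leaves
// the mux without any handler, so every request would be answered with a 404.
if err := services.RegisterGreeterHandlerFromEndpoint(context.Background(), gwmux, "localhost:8888", opts); err != nil {
	panic(err)
}
// NOTE(review): the gateway listens over plain HTTP, so only the gateway→gRPC hop is
// encrypted; beyond local testing serve it with ListenAndServeTLS and set ReadHeaderTimeout.
httpServer := http.Server{
	Addr:    ":8081",
	Handler: gwmux,
}
fmt.Println(httpServer.ListenAndServe())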
//测试 使用浏览器访问
localhost:8081/v1/greeter/jack
gRpc字段验证
//下载
github.com/envoyproxy/protoc-gen-validate
//修改proto文件
import "validate.proto";
// People demonstrates a protoc-gen-validate rule: age must be strictly greater than 18
// (gt, not gte — a value of exactly 18 is rejected).
message People{
string name = 1;
int32 age = 2[(validate.rules).int32.gt = 18];
}
//生成
protoc --go_out=plugins=grpc:. --validate_out=lang=go:. *.proto
//验证代码
// Validate applies the rules declared in the proto (here: age > 18) and returns the first
// violation as an error, nil otherwise. NOTE(review): the handler should reject the request
// on a non-nil error (typically with a codes.InvalidArgument status) before using req.People.
err := req.People.Validate()
//...